==Phrack Inc.==
Volume Four, Issue Thirty-Nine, File 12 of 13
PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN
PWN PWN
PWN Phrack World News PWN
PWN PWN
PWN Issue XXXIX / Part Three of Four PWN
PWN PWN
PWN Compiled by Datastream Cowboy PWN
PWN PWN
PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN
New Phones Stymie FBI Wiretaps April 29, 1992
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
By Simson L. Garfinkel (Christian Science Monitor)(Page 12)
"Legislation proposed by Justice Department would change the way
telecommunications equipment is developed in the United States."
For more than 50 years, wiretapping a telephone has been no more difficult than
attaching two clips to a telephone line. Although legal wiretaps in the United
States have always required the approval of a judge or magistrate, the actual
wiretap has never been a technical problem. Now that is changing, thanks to
the same revolution in communications that has made car phones, picture
telephones, and fax machines possible.
The only thing a person tapping a digital telephone would hear is the
indecipherable hiss and pop of digital bits streaming past. Cellular
telephones and fiber-optic communications systems present a would-be wiretapper
with an even more difficult task: There isn't any wire to tap.
Although cellular radio calls can be readily listened in on with hand-held
scanners, it is nearly impossible to pick up a particular conversation -- or
monitor a particular telephone -- without direct access to the cellular
telephone "switch," which is responsible for connecting the radio telephones
with the conventional telephone network.
This spring, the Federal Bureau of Investigation (FBI) unveiled legislation
that would require telephone companies to include provisions in their equipment
for conducting court-ordered wiretaps. But critics of the legislation,
including some members of Congress, claim that the proposals would expand the
FBI's wiretap authority and place an undue burden on the telecommunications
industry.
Both sides agree that if provisions for monitoring communications are not made
in the planning stages of new equipment, it may eventually become impossible
for law enforcement personnel to conduct wiretaps.
"If the technology is not fixed in the future, I could bring an order [for a
wiretap] to the telephone company, and because the technology wasn't designed
with our requirement in mind, that person could not [comply with the court
order]," says James K. Kalstrom, the FBI's chief of engineering.
The proposed legislation would require the Federal Communications Commission
(FCC) to establish standards and features for makers of all electronic
communications systems to put into their equipment, require modification of all
existing equipment within 180 days, and prohibit the sale or use of any
equipment in the US that did not comply. The fine for violating the law would
be $10,000 per day.
"The FBI proposal is unprecedented," says Representative Don Edwards (D) of
California, chairman of the House Judiciary Subcommittee on Civil and
Constitutional Rights and an outspoken critic of the proposal. "It would give
the government a role in the design and manufacture of all telecommunications
equipment and services."
Equally unprecedented, says Congressman Edwards, is the legislation's breadth:
The law would cover every form of electronic communications, including cellular
telephones, fiber optics, satellite, microwave, and wires. It would cover
electronic mail systems, fax machines, and all networked computer systems. It
would also cover all private telephone exchanges -- including virtually every
office telephone system in the country.
Many civil liberties advocates worry that if the ability to wiretap is
specifically built into every phone system, there will be instances of its
abuse by unauthorized parties.
Early this year, FBI director William Sessions and Attorney General William
Barr met with Senator Ernest F. Hollings (D) of South Carolina, chairman of the
Senate Commerce Committee, and stressed the importance of the proposal for law
enforcement.
Modifying the nation's communications systems won't come cheaply. Although
the cost of modifying existing phone systems could be as much as $300 million,
"We need to think of the costs if we fail to enact this legislation," said Mr.
Sessions before a meeting of the Commerce, Justice, State, and Judiciary
Subcommittees in April. The legislation would pass the $300 million price-tag
along to telephone subscribers, at an estimated cost of 20 cents per line.
But an ad-hoc industry coalition of electronic communications and computer
companies has objected not only to the cost, but also to the substance of the
FBI's proposal. In addition, they say that FCC licensing of new technology
would impede its development and hinder competitiveness abroad.
Earlier this month, a group of 25 trade associations and major companies,
including AT&T, GTE, and IBM, sent a letter to Senator Hollings saying that "no
legislative solution is necessary." Instead, the companies expressed their
willingness to cooperate with the FBI's needs.
FBI officials insist that legislation is necessary. "If we just depend on
jaw-boning and waving the flag, there will be pockets, areas, certain places"
where technology prevents law enforcement from making a tap, says Mr. Kalstrom,
the FBI engineer. "Unless it is mandatory, people will not cooperate."
For example, Kalstrom says, today's cellular telephone systems were not built
with the needs of law enforcement in mind. "Some companies have modified their
equipment and we can conduct surveillance," he says. But half of the companies
in the US haven't, he adds.
Jo-Anne Basile, director of federal relations for the Cellular
Telecommunications Industry Association here in Washington, D.C., disagrees.
"There have been problems in some of the big cities because of [limited]
capacity," Ms. Basile says. For example, in some cities, cellular operators
had to comply with requests for wiretaps by using limited "ports" designed for
equipment servicing. Equipment now being installed, though, has greatly
expanded wiretap capacity in those areas.
"We believe that legislation is not necessary because we have cooperated in
the past, and we intend on cooperating in the future," she adds.
The real danger of the FBI's proposal is that the wiretap provisions built in
for use by the FBI could be subverted and used by domestic criminals or
commercial spies from foreign countries, says Jerry Berman, director of the
Electronic Frontier Foundation, a computer users' protection group in
Cambridge, Mass.
"Anytime there is a hearing on computer hackers, computer security, or
intrusion into AT&T, there is a discussion that these companies are not doing
enough for security. Now here is a whole proposal saying, 'Let's make our
computers more vulnerable.' If you make it more vulnerable for the Bureau,
don't you make it more vulnerable for the computer thief?"
Civil liberties advocates also worry that making wiretaps easier will have the
effect of encouraging their use -- something that the FBI vehemently denies.
"Doing a wiretap has nothing to do with the [technical] ease," says Kalstrom.
"It is a long legal process that we must meet trying all other investigations
before we can petition the court."
Kalstrom points out the relative ease of doing a wiretap with today's telephone
system, then cites the federal "Wiretap Report," which states that there were
only 872 court-approved wiretaps nationwide in 1990. "Ease is not the issue.
There is a great dedication of manpower and cost," he says. But digital
wiretapping has the potential for drastically lowering the personnel
requirements and costs associated with this form of electronic surveillance.
Computers could listen to the phone calls, sitting a 24-hour vigil at a low
cost compared with the salary of a flesh-and-blood investigator.
"Now we are seeing the development of more effective voice-recognition
systems," says Edwards. "Put voice recognition together with remote-access
monitoring, and the implications are bracing, to say the least."
Indeed, it seems that the only thing both sides agree on is that digital
telephone systems will mean more secure communications for everybody.
"It is extremely easy today to do a wiretap: Anybody with a little bit of
knowledge can climb a telephone poll today and wiretap someone's lines," says
Kalstrom. "When the digital network goes end-to-end digital, that will
preclude amateur night. It's a much safer network from the privacy point of
view."
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
FBI Fight With Computer, Phone Firms Intensifies May 4, 1992
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Taken from Los Angeles Times (Business, Part D, Page 2)
"Spy Agencies Oppose Technology That Will Prevent
Them From Tapping Into Data And Conversations"
Top computer and telecommunications executives are fighting attempts by the FBI
and the nation's intelligence community to ensure that government surveillance
agencies can continue to tap into personal and business communications lines as
new technology is introduced.
The debate flared last week at a House Judiciary Committee hearing on foreign
intelligence agencies' attempts to gather U.S. companies' secrets. The
committee's chairman, Representative Jack Brooks (D-Tex.), called the hearing
to complain that the FBI and the National Security Agency (NSA) are hurting
companies' attempts to protect their communications.
The issue has been heating up on two fronts. Phone companies have been
installing digital equipment that frustrates phone tapping efforts, and
computer companies are introducing new methods of securing data transmissions
that are almost impossible for intelligence agencies to penetrate.
The controversy centers, in part, on an FBI attempt to persuade Congress to
force telephone companies to alter their digital networks, at a possible cost
of billions of dollars that could be passed on to ratepayers, so that the FBI
can continue performing court-authorized wiretaps. Digital technology
temporarily converts conversations into computerized code, which is sent at
high speed over transmission lines and turned back to voice at the other end,
for efficient transmission.
Civil liberties groups and telecommunications companies are fiercely resisting
the FBI proposal, saying it will stall installation of crucial technology and
negate a major benefit of digital technology: Greater phone security. The
critics say the FBI plan would make it easier for criminals, terrorists,
foreign spies and computer hackers to penetrate the phone network. The FBI
denies these and other industry assertions.
Meanwhile, the NSA, the nation's super-secret eavesdropping agency, is trying
to ensure that government computers use a computer security technology that
many congressmen and corporate executives believe is second-rate, so that NSA
can continue monitoring overseas computer data transmissions. Corporations
likely would adopt the government standard.
Many corporate executives and congressmen believe that a branch of the Commerce
Department that works closely with NSA, the National Institute of Standards and
Technology (NIST), soon will endorse as the government standard a computer-
security technology that two New Jersey scientists said they penetrated to
demonstrate its weakness. NIST officials said that their technology wasn't
compromised and that it is virtually unbreakable.
"In industry's quest to provide security (for phones and computers), we have a
new adversary, the Justice Department," said D. James Bidzos, president of
California-based RSA Data Security Inc., which has developed a computer-
security technology favored by many firms over NIST's. "It's like saying that
we shouldn't build cars because criminals will use them to get away."
"What's good for the American company may be bad for the FBI" and NSA, said
Representative Hamilton Fish Jr. (R-N.Y.). "It is a very heavy issue here."
The situation is a far cry from the 1950s and 1960s, when companies like
International Business Machines Corporation and AT&T worked closely with law-
enforcement and intelligence agencies on sensitive projects out of a sense of
patriotism. The emergence of a post-Vietnam generation of executives,
especially in new high-technology firms with roots in the counterculture, has
short-circuited the once-cozy connection, industry and government officials
said.
"I don't look at (the FBI proposal) as impeding technology," FBI Director
William S. Sessions testified at the Judiciary Committee hearing. "There is a
burden on the private sector . . . a price of doing business."
FBI officials said they have not yet fumbled a criminal probe due to inability
to tap a phone, but they fear that time is close. "It's absolutely essential
we not be hampered," Sessions said. "We cannot carry out our responsibilities"
if phone lines are made too secure.
On the related computer-security issue, the tight-lipped NSA has never
commented on assertions that it opposes computerized data encryption
technologies like that of RSA Data Security because such systems are
uncrackable.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
For more articles on this same topic, please see:
Phrack 38, File 11; The Digital Telephony Proposal.
_______________________________________________________________________________
FBI Seeks Compiled Lists For Use In Its Field Investigation April 20, 1992
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
By Ray Schultz (DMNews)(Page 1)
Special Thanks: The Omega and White Knight
Washington, D.C. -- The Federal Bureau of Investigation, in a move that could
spell trouble for the industry, reported is seeking commercial mailing lists
for use in its investigations.
Spokespersons for both MetroMail Corporation and Donnelley Marketing confirmed
that they were approached for services within the last two weeks and other
firms also received feelers.
Neither of the identified firms would discuss details, but one source familiar
with the effort said the FBI apparently is seeking access to a compiled
consumer database for investigatory uses.
The FBI agents showed "detailed awareness" of the products they were seeking,
and claimed to have already worked with several mailing list companies,
according to the source.
Metromail, which has been supplying the FBI with its MetroNet address lookup
service for two years, did not confirm this version of events. Spokesperson
John Tomkiw said only that the firm was asked by the FBI about a "broadening"
of its services.
The firm has supplied the bureau with a full listing of its products and
services, but has not yet been contacted back and is not sure what action it
will take, said Tomkiw.
Donnelley was also vague on the specifics of the approach, but did say it has
declined any FBI business on the grounds that it would be an inappropriate use
of its lists.
FBI spokesperson Bill Carter was unable to provide confirmation, although he
did verify that the FBI uses MetroNet to locate individuals needed for
interviews.
If the database scenario is true, it would mark the first major effort by a
government agency to use mailing lists for enforcement since the Internal
Revenue Service tried to use rented lists to catch tax cheats in 1984.
"We have heard of it," said Robert Sherman, counsel to the Direct Marketing
Association and attorney with the firm of Milgrim Thomajan & Lee, New York.
"We'd like to know more about it. If it is what it appears to be, law
enforcement agents attempting to use marketing lists for law enforcement
purposes, then the DMA and industry would certainly be opposed to that on
general principles."
Such usage would "undermine consumer confidence in the entire marketing process
and would intrude on what otherwise would be harmless collection of data,"
Sherman said.
RL Polk, which has not been contacted, said it would decline for the same
reasons if approached.
"That's not a proper use of our lists," said Polk chairman John O'Hara. "We're
in the direct mail business and it's our policy not to let our lists be used
for anything but marketing purposes."
According to one source, who requested anonymity, the FBI intimated that it
would use its subpoena power if refused access to the lists.
The approaches, made through the FBI training center in Quantico, VA,
reportedly were not the first.
The FBI's Carter said the MetroNet product was used for address lookups only.
"If a field office needs to locate somebody for an interview, we can check the
[MetroNet] database as to where they reside and provide that information to the
field office," he said.
However, the product was cited as a potential threat to privacy last year by
Richard Kessel, New York State Consumer Affairs Commissioner.
In a statement on automatic number identifiers, Kessel's office said that "one
firm offers to provide 800-number subscribers immediate access to information
on 117-million customers in 83-million households nationwide.
"The firm advertises that by matching the number of an incoming call into its
database, and an 800 subscriber within seconds can find out such information as
whether the caller has previously purchased items from their companies."
Kessel included a copy of a trade ad for MetroNet, in which the product is
presented as a direct marketing tool.
Under the headline "Who am I?" the copy reads as if it is by an imaginary
consumer.
"The first step to knowing me better is as easy as retrieving my phone number
in an Automatic Number Identification environment," it says. "Within seconds
you can search your internal database to see if I've purchased from you before.
And if it's not to be found, there's only one place to go -- to MetroNet.
"MetroNet gives you immediate access to information on 117-million consumers in
83-million households nationwide: recent addresses; phone numbers; specific
demographics and household information."
Tomkiw defended the product, saying its primary focus is "direct marketing.
We're always sensitive to those types of issues."
MetroNet works as an electronic white pages, but does not contain "a lot of
demograhpic data," he said. "It's primarily used by the real estate and
insurance industries."
The 1984 IRS effort reportedly was a failure, but it created a public outcry
and much negative publicity for the industry. Though Polk, MetroMail and
Donnelley all refused to rent their lists for the effort, the IRS was able to
locate other lists through Dunhill of Washington. Most industry sources say
that such efforts are doomed to fail because lists are useful only in
identifying people in aggregate, not as individuals."
_______________________________________________________________________________
Do You Know Where Your Laptop Is? May 11, 1992
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
By Robert Kelly (InformationWeek)
Are your executives carrying computers with critical data?
If so, company secrets are vulnerable
It was an expensive round of window shopping. On December 17, 1990, David
Farquhar parked his car in downtown London to browse through an automobile
showroom. A Wing Commander in Great Britain's Royal Air Force, he was enjoying
a few moments away from the mounting pressures leading up to the Gulf War,
which would begin less than a month later.
But Farquhar made a huge mistake: He left his laptop computer in his car. And
although he was gone a mere five minutes, by the time he returned, the laptop
had been stolen -- as had U.S. General Norman Schwarzkopf's plans, stored in
the computer's disk drive, for the upcoming Allied strike against Iraq.
Farquhar paid dearly for his carelessness. Soon after the red-faced Wing
Commander reported the incident, he was court-martialed, demoted, and slapped
with a substantial fine. The computer was anonymously returned a week later-
with the disk drive intact.
Farquhar may feel alone in his dilemma and rue the wrong turn his life has
taken, but such episodes are anything but isolated. Though electronic security
sources say it's too soon to keep score yet on the exact number of laptop
thefts, anecdotally, at least, it appears a computer crime wave is underway.
According to electronic data experts, during the past 18 months, as laptop
purchases have soared, theft has taken off also.
For instance, at the Computer Security Institute (CSI), an organization that
ironically comprises corporate security experts, a half-dozen members have
already reported their company laptops stolen, says Phil Chapnick, director of
the San Francisco-based group. And there are probably more that aren't
speaking about it, he adds: "Victims prefer to maintain a low profile."
So do the perpetrators, obviously. But a picture of who some of them are is
beginning to emerge, says John Schey, a security consultant for the federal
government. He says a roving band of "computer hit men" from New York, Los
Angeles, and San Francisco has been uncovered; members are being paid upwards
of $10,000 to steal portable computers and strategic data stored on those
machines from executives at Fortune 1,000 companies. Federal agents, Schey
adds, are conducting a "very, very dynamic and highly energized investigation
to apprehend the group." U.S. law enforcement authorities refuse to comment on
the issue.
Laptop theft is not, of course, limited to the United States. According to
news reports, and independently confirmed by InformationWeek, visiting
executives from NCR Corp. learned that reality the hard way recently when they
returned to their rooms after dinner at the Nikko Hotel in Paris to find the
doors removed from their hinges. The rooms were ransacked, turned upside down,
but the thieves found what they were looking for. All that was taken were two
laptops containing valuable corporate secrets.
Paul Joyal, president of Silver Spring, Maryland, security firm Integer and a
former director of security for the Senate Intelligence Committee, says he
learned from insiders close to the incident that French intelligence agents,
who are known for being chummy with domestic corporations, stole the machines.
Joyal suspects they were working for a local high-tech company. An NCR
spokesman denies knowledge of the incident, but adds that "with 50,000
employees, it would be impossible to confirm." Similar thefts, sources say,
have occurred in Japan, Iraq, and Libya.
It's not hard to figure out why laptop theft is on the rise. Unit sales of
laptops are growing 40% annually, according to market researchers Dataquest
Inc., and more than 1 million of them enter the technology stream each year.
Most of the machines are used by major companies for critical tasks, such as
keeping the top brass in touch when they're on the road, spicing up sales calls
with real data pulled from the corporate mainframe, and entering field data
into central computers. Because of laptops, says Dan Speers, an independent
data analyst in West Paterson, New Jersey, "there's a lot of competitive data
floating around."
And a perfect way to steal information from central corporate databases.
Thieves are not only taking laptops to get at the data stored in the disk
drives, but also to dial into company mainframes. And sometimes these thieves
are people the victims would least suspect. One security expert tells of "the
wife of a salesman for a Fortune 500 manufacturing firm who worked for a direct
competitor." While her husband slept, she used his laptop to log on to a
mainframe at his company and download confidential sales data and profiles of
current and potential customers. "The husband's job," says the security
expert, "not the wife's, was terminated."
Such stories, and there are plenty of them, have led many U.S. companies to
give lip service to laptop theft, but in almost all cases they're not doing
much about it. "Management has little or no conception of the vulnerability of
their systems," says Winn Schwartau, executive director of InterPact, an
information security company in Nashville. That's not surprising, adds CSI's
Chapnick: "Security typically lags technology by a couple of years."
Playing Catch-Up
Still, some companies are trying to catch up quickly. Boeing Corp., Grumman
Corp., and Martin Marietta Corp., among others, have adopted strict policies on
portable data security. This includes training staffers on laptop safety
rules, and even debriefing them when they return from a trip. One company,
sources say, was able to use such a skull session to identify a European hotel
as a threat to data security, and put it on the restricted list for future
trips.
Conde Nast Publications Inc. is taking the the issue even more seriously. The
New York-based magazine group's 65-member sales force uses laptops to first
canvas wholesalers, then upload data on newsstand sales and distribution
problems to the central mainframe. To ensure that the corporate database isn't
poisoned by rogue data, "we have a very tight security system," says Chester
Faye, Conde Nast's director of data processing. That system's centerpiece is a
program, created in-house at Conde Nast, that lets the mainframe read an
identification code off of the chip of each laptop trying to communicate with
it. "The mainframe, then, can hang up on laptops with chip IDs it doesn't
recognize and on those reported stolen by sales reps," says Faye.
And some organizations hope to go to even greater lengths. InterPact's
Schwartau says a government agency in Great Britain wants to build a device
that attaches to a user's belt and disconnects communication to a mainframe
when the laptop deviates 15 degrees vertically. The reason: To protect
corporate data if the person using the laptop is shot and killed while dialing
in.
Users say they're taking such extreme measures because the vendors don't; most
laptops arrive from the factory without adequate security protection. Most
require a password before booting, but thieves can decipher them with relative
ease. Some also have removable hard drives, but again, these can be stolen
with similar impunity and therefore provide little protection.
Ironically, none of this may be necessary; experts emphasize that adding
security to a laptop will not serve to price it out of existence. By some
estimates, building in protection measures raises the price of a laptop by at
most 20%. Beaver Computer Corp. in San Jose, California, for example, has a
product to encrypt the data on a laptop's hard drive and floppy disks. With
this, the information can't be accessed without an "electronic key" or
password. BCC has installed this capability on its own laptop, the SL007,
which seems to have passed muster with some very discriminating customers:
Sources close to the company say a major drug cartel in Colombia wants some of
these machines to protect drug trafficking data.
Equally important is the need to protect data in the host computer from hackers
who have stolen passwords and logons. Security Dynamics Technologies Inc. in
Cambridge, Massachusetts, offers the credit card-sized SecurID, which can be
attached to most laptops. SecurID consists of a $60 device that is connected
to the laptop, and additional hardware (Cost: $3,800 to $13,000) installed on
the host. SecurID continuously changes the logon used to dial into the host;
by the time a hacker gets around to using a stolen logon, for instance, it will
be obsolete.
But what if all measures fail? You can always insure the hardware; can you
insure the data? Not yet, but soon, says Nashville-based newsletter Security
Insider Report. An upstart startup will soon begin offering data insurance
policies that may include coverage of information lost when a portable computer
is stolen.
Company Cooperation
>From protection to insurance, however, no measure can work unless laptop owners
take the problem seriously. And that doesn't always happen. Case in point: In
the late 1980s, the Internal Revenue Service approached Schwartau's firm to
develop a blueprint for securing the confidential data that travels over phone
lines between the 30,000 laptops used by field auditors and IRS offices.
Schwartau came up with a solution. But the IRS shelved its security plans, and
has done nothing about it since, he charges.
Even those who should know better can run afoul of the laptop crime wave.
About 18 months ago, Ben Rosen, chairman of laptop maker Compaq Computer Corp.,
left his machine behind on the train; it was promptly stolen. Rosen insists
there was no sensitive data in the computer, but he did lose whatever he had.
Unlike Schwarzkopf's plans, the laptop was never returned.
_______________________________________________________________________________